Archive for December 5th, 2013

By now, most IT administrators are aware that their networks and systems may require defenses against targeted attacks carried out by well-equipped, knowledgeable attackers. As companies prepare their plans for the upcoming year, some may ask: how does one develop a strategy to help defend against these attacks?

Earlier today, Japan’s Information Technology Promotion Agency (IPA) released a guide titled System Design Guide for Thwarting Targeted Email Attacks. The IPA is under the Ministry of Economy, Trade and Industry (METI) and is responsible for promoting information technology, including security best practices, in Japan.

This multipage document provides administrators with an in-depth strategy for dealing with these attacks. While implementation details are left to IT departments, the document lays out ten separate steps that administrators can consider to help secure their networks.

In addition, the document does not consider purely technical concerns alone: it is the work of malware analysts, security operations center (SOC) operators, researchers, forensic analysts, penetration testers, operations managers, and crisis managers. This multidisciplinary approach ensures that all aspects of a potential attack can be recognized and the appropriate countermeasures and defenses put in place.

One useful thing to understand about targeted attacks is that the attackers have a clear goal in mind: to infiltrate the target's network and acquire information. By understanding their goals and their psychology, it becomes easier to understand their tactics, which in turn makes it easier to detect and defend against their attacks and to force attackers into making mistakes.

Representing Trend Micro, I was part of the group that created this document; our expertise in malware, threat intelligence, and targeted attacks was useful in crafting effective techniques against these new threats.

Many countries – including Japan – have had government agencies and companies within their borders face targeted attacks. The response to these attacks has frequently been full of difficulties and challenges, making the task of attackers easier. We believe that documents like this that allow organizations to respond in a reasoned, systematic manner are valuable in reducing the threat from targeted attacks.

Posted in Targeted Attacks | Planning for 2014: A Guide To Targeted Attack Defense

Threats have evolved to try to circumvent advances in analysis and detection. Every improvement by security vendors is met with a response from cybercriminals. Stuxnet, for example, paved the way for other threat families to use the LNK vulnerability. Conficker/DOWNAD popularized the use of a domain generation algorithm (DGA), which is now used by other malware families as well, including ZeroAccess and TDSS.

The goal of these evasion techniques is simple: to avoid early detection and allow an attacker to establish a foothold on target machines.

In our paper Network Detection Evasion Methods, we discuss how some threats attempt to thwart detection by blending in with normal network traffic. This includes connections to Google and Microsoft Update, as well as traffic produced by popular instant messengers such as Yahoo! Messenger. Below are some of the remote access Trojans (RATs) we found to have used this method in an attempt to remain under the radar:

FAKEM. This RAT is typically spread via spear-phishing emails and was found to disguise its network communication to mimic Windows Live Messenger, Yahoo! Messenger, and HTML traffic, among others.

Mutator. Also known as Rodecap, this RAT is reportedly associated with the Stealrat botnet. It downloads Stealrat modules or components and, in some instances, may spoof its HTTP header with “google.com” to blend in with normal traffic.

While the list is not particularly long and the methods are simple, the paper shows the cybercriminals’ ability to adapt and upgrade their techniques. This stresses how they are continuously improving their methods and strategies to bypass network security in an attempt to take over systems and remain hidden from security researchers. For more information about these threats and tips on how to effectively detect malicious network traffic, you may read the full paper, Network Detection Evasion Methods: Blending with Legitimate Traffic.
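As an added example (not part of the original post or of the paper), one way a defender can surface the Host-header spoofing described above for Mutator: compare the hostname claimed in each proxied HTTP request with the addresses that hostname has actually been observed resolving to, and flag the requests where they disagree. The proxy log lines and the passive-DNS table below are constructed, and 203.0.113.0/28 is a placeholder range, not a real Google address block.

```python
import ipaddress
from dataclasses import dataclass

# Constructed passive-DNS view: the addresses each hostname has actually been
# seen resolving to on this network. 203.0.113.0/28 is a placeholder range,
# not a real Google address block.
PASSIVE_DNS = {
    "google.com": ["203.0.113.0/28"],
    "www.google.com": ["203.0.113.0/28"],
}

# Constructed proxy log. Fields: timestamp src dst:port method host path
SAMPLE_LOG = """\
2013-12-05T10:01:02 10.0.0.5 203.0.113.7:80 GET google.com /search?q=weather
2013-12-05T10:01:09 10.0.0.5 198.51.100.23:80 POST google.com /gate.php
2013-12-05T10:02:11 10.0.0.8 203.0.113.9:80 GET www.google.com /
2013-12-05T10:02:40 10.0.0.8 198.51.100.23:8080 GET update.example.net /m.bin
"""

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    host: str
    reason: str

def parse_line(line):
    """Split one proxy log line into its fields; the Host value is lowercased."""
    ts, src, dst_port, method, host, path = line.split(maxsplit=5)
    return ts, src, dst_port.rsplit(":", 1)[0], method, host.lower(), path

def host_matches_dst(host, dst, pdns=PASSIVE_DNS):
    """True/False if we have resolution data for host; None if host is unknown."""
    nets = pdns.get(host)
    if nets is None:
        return None
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def find_spoofed_hosts(log_text, pdns=PASSIVE_DNS):
    """Flag requests whose claimed Host never resolved to the destination IP."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst, _method, host, _path = parse_line(line)
        if host_matches_dst(host, dst, pdns) is False:
            findings.append(Finding(ts, src, dst, host,
                "Host header claims %s but %s never resolved to it" % (host, dst)))
    return findings
```

Only the second log line is flagged: a POST to 198.51.100.23 claiming to be google.com, while the request to an unknown hostname is left alone because there is no resolution data to contradict it.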

Additional insights by Jessa De La Torre

Posted in Targeted Attacks | How Threats Disguise Their Network Traffic